Bug 9003

Summary: golang security vulnerability (CVE-2018-7187)
Product: [ROSA-based products] ROSA Fresh
Reporter: Zombie Ryushu <zombie.ryushu>
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: ROSA Linux Bugs <bugs>
Status: RESOLVED FIXED
QA Contact: ROSA Linux Bugs <bugs>
Severity: normal
Priority: Normal
CC: andrey.bondrov, denis.silakov, mc2374
Version: Plasma5
Target Milestone: ---
Hardware: All
OS: Linux
URL: https://advisories.mageia.org/MGASA-2018-0238.html
Whiteboard:
Platform: ---
ROSA Vulnerability identifier: CVE-2018-7187
RPM Package: golang
ISO-related:
Bad POT generating:
Upstream:

Description Zombie Ryushu 2018-05-19 01:32:00 MSK
A flaw was found in Go Lang. The "go get" implementation in Go 1.9.4,
when the -insecure command-line option is used, does not validate the
import path (get/vcs.go only checks for "://" anywhere in the string),
which allows remote attackers to execute arbitrary OS commands via a
crafted web site (CVE-2018-7187).

Comment 1 Denis Silakov 2018-05-21 00:09:44 MSK
We already have 1.10.1 in our repos.

Comment 2 Denis Silakov 2018-05-21 00:10:53 MSK
... and 1.10.2 is on its way to the repos.